source/adminguide/locale/zh_CN/LC_MESSAGES/accounts.mo (25 lines of code) (raw):
��������N�����������������������������������������������������������:�����������J�������g�������x���p���]�������� ������b
������k
��6����
��0����
��-����
��6���!���,���X�������������������������������]
��
���e
������s
��#����
�������
�������
������]�������q�������������������<�������E���������������5���&���<���\���U�����������������������$�����������)�������@�������V���������������������������g���(�����������������������6���)���U������������������Y�������6�������?���0���*���p���%�������l�������S���. ��|���� ������� ��T����!��t����"������w"�������#��0���>%������o%�� ���7&��r���X&�������&������n'�� ����(�������(�������*��&����*��,���C+������p+�������.�������/�������/�������/�������/��}����/������z1�������1�������1������P2������h4�������4�������4��0����5��0���C5��-���t5�������5��!���6�������6�������6��x����6������.7������27������?7������N7������e7������z7�������8�������8�������8��b���U9��3����:��H����:������5;��8���N;��:����;��3����;�������<��
����=������
>������&>������=>������S>�������>�������>�������?�������?�������@��o����@������1A��*���NA������yA�������A��\����A�������B�������B��&����D�������E��A����E��V���=G��Z����G�������G��K���}H��^����H������(I��w��� J��'����K�������K�������L��\����L��{����M��^����M�� ����N�������N�������O�������P��%����Q��*���=Q���%e�%n�%u�Accounts�Accounts are grouped by domains. Domains usually contain multiple accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains. For example, a service provider with several resellers could create a domain for each reseller.�Accounts, Users, and Domains�Active Directory�Administrators are accounts with special privileges in the system. There may be multiple administrators in the system. Administrators can create or delete other administrators, and change the password for any user in the system.�An LDAP query is relative to a given node of the LDAP directory tree, called the search base. The search base is the distinguished name (DN) of a level of the directory tree below which all users can be found. The users can be in the immediate base directory or in some subdirectory. The search base may be equivalent to the organization, group, or domain name. The syntax for writing a DN varies depending on which LDAP server you are using. A full discussion of distinguished names is outside the scope of our documentation. The following table shows some examples of search bases to find users in the testing department..�An account typically represents a customer of the service provider or a department in a large organization. Multiple users can exist in an account.�ApacheDS�Base directory and query filter�Behavior of Dedicated Hosts, Clusters, Pods, and Zones�CN=Administrator, OU=testing, DC=company, DC=com�CN=Administrator,DC=testing,OU=project,OU=org�Dedicated hosts can be used in conjunction with host tags. If both a host tag and dedication are requested, the VM will be placed only on a host that meets both requirements. If there is no dedicated resource available to that user that also has the host tag requested by the user, then the VM will not deploy.�Dedicating Resources to Accounts and Domains�Description�Domain Administrators�Domain administrators can perform administrative operations for users who belong to that domain. Domain administrators do not have visibility into physical servers or other domains.�Domains�Email address�Example Bind DN�Example LDAP Configuration Commands�Example Search Base DN�Explicit dedication. A zone, pod, cluster, or host is dedicated to an account or domain by the root administrator during initial deployment and configuration.�First and last name�For each account created, the Cloud installation creates three different types of user accounts: root administrator, domain administrator, and user.�For explicit dedication: When deploying a new zone, pod, cluster, or host, the root administrator can click the Dedicated checkbox, then choose a domain or account to own the resource.�For implicit dedication: The administrator creates a compute service offering and in the Deployment Planner field, chooses ImplicitDedicationPlanner. Then in Planner Mode, the administrator specifies either Strict or Preferred, depending on whether it is permissible to allow some use of shared resources when dedicated resources are not available. Whenever a user creates a VM based on this service offering, it is allocated on one of the dedicated hosts.�Hostname or IP address and listening port of the LDAP server�How to Dedicate a Zone, Cluster, Pod, or Host to an Account or Domain�How to Use Dedicated Hosts�If the CloudStack user name is the LDAP display name:�If the CloudStack user name is the same as the LDAP user ID:�If the LDAP server requires SSL, you need to enable it in the ldapConfig command by setting the parameters ssl, truststore, and truststorepass. Before enabling SSL for ldapConfig, you need to get the certificate which the LDAP server is using and add it to a trusted keystore. You will need to know the path to the keystore and the password.�If you delete an account or domain, any hosts, clusters, pods, and zones that were dedicated to it are freed up. They will now be available to be shared by any account or domain, or the administrator may choose to re-dedicate them to a different account or domain.�LDAP Server�Managing Accounts, Users and Domains�OU=testing, DC=company�OU=testing, O=project�Preferred implicit dedication. The VM will be deployed in dedicated infrastructure if possible. Otherwise, the VM can be deployed in shared infrastructure.�Query Filter�Query Filter Wildcard�Resource Ownership�Resources belong to the account, not individual users in that account. For example, billing, resource limits, and so on are maintained by the account, not the users. A user can operate on any resource in the account provided the user has privileges for that operation. The privileges are determined by the role. A root administrator can change the ownership of any virtual machine from one account to any other account by using the assignVirtualMachine API. A domain or sub-domain administrator can do the same for VMs within the domain from one account to any other account in the domain or any of its sub-domains.�Root Administrator�Root administrators have complete access to the system, including managing templates, service offerings, customer care administrators, and domains�SSL Keystore Path and Password�SSL keystore and password, if SSL is used�Search Base�Search User Bind DN�Search user DN credentials, which give CloudStack permission to search on the LDAP server�Strict implicit dedication. A host will not be shared across multiple accounts. For example, strict implicit dedication is useful for deployment of certain types of applications, such as desktops, where no host can be shared between different accounts without violating the desktop software's terms of license.�System VMs and virtual routers affect the behavior of host dedication. System VMs and virtual routers are owned by the CloudStack system account, and they can be deployed on any host. They do not adhere to explicit dedication. The presence of system vms and virtual routers on a host makes it unsuitable for strict implicit dedication. The host can not be used for strict implicit dedication, because the host already has VMs of a specific account (the default system account). However, a host with system VMs or virtual routers can be used for preferred implicit dedication.�The CloudStack query filter wildcards are:�The administrator can live migrate VMs away from dedicated hosts if desired, whether the destination is a host reserved for a different account/domain or a host that is shared (not dedicated to any particular account or domain). CloudStack will generate an alert, but the operation is allowed.�The bind DN is the user on the external LDAP server permitted to search the LDAP directory within the defined search base. When the DN is returned, the DN and passed password are used to authenticate the CloudStack user with an LDAP bind. A full discussion of bind DNs is outside the scope of our documentation. The following table shows some examples of bind DNs.�The command must be URL-encoded. Here is the same example without the URL encoding:�The following examples assume you are using Active Directory, and refer to user attributes from the Active Directory schema.�The following shows a similar command for Active Directory. Here, the search base is the testing group within a company, and the users are matched up based on email address.�The following shows an example invocation of ldapConfig with an ApacheDS LDAP server�The next few sections explain some of the concepts you will need to know when filling out the ldapConfig parameters.�The query filter is used to find a mapped user in the external LDAP server. The query filter should uniquely map the CloudStack user to LDAP user for a meaningful authentication. For more information about query filter syntax, consult the documentation for your LDAP server.�The root administrator can dedicate resources to a specific domain or account that needs private infrastructure for additional security or performance guarantees. A zone, pod, cluster, or host can be reserved by the root administrator for a specific domain or account. Only users in that domain or its subdomain may use the infrastructure. For example, only users in a given domain can create guests in a zone dedicated to that domain.�There are several types of dedication available:�To explicitly dedicate an existing zone, pod, cluster, or host: log in as the root admin, find the resource in the UI, and click the Dedicate button. |button to dedicate a zone, pod,cluster, or host|�To find a user by email address:�To set up LDAP authentication in CloudStack, call the CloudStack API command ldapConfig and provide the following:�To understand the examples in this section, you need to know the basic concepts behind calling the CloudStack API, which are explained in the Developer’s Guide.�To use an explicitly dedicated host, use the explicit-dedicated type of affinity group (see `“Affinity Groups” <virtual_machines.html#affinity-groups>`_). For example, when creating a new VM, an end user can choose to place it on dedicated infrastructure. This operation will succeed only if some infrastructure has already been assigned as dedicated to the user's account or domain.�User name�Username is unique in a domain across accounts in that domain. The same username can exist in other domains, including sub-domains. Domain name can repeat only if the full pathname from root is unique. For example, you can create root/d1, as well as root/foo/d1, and root/sales/d1.�Users�Users are like aliases in the account. Users in the same account are not isolated from each other, but they are isolated from users in other accounts. Most installations need not surface the notion of users; they just have one user per account. The same user cannot belong to multiple accounts.�Using an LDAP Server for User Authentication�You can use an external LDAP server such as Microsoft Active Directory or ApacheDS to authenticate CloudStack end-users. Just map CloudStack accounts to the corresponding LDAP accounts using a query filter. The query filter is written using the query syntax of the particular LDAP server, and can include special wildcard characters provided by CloudStack for matching common values such as the user’s email address and name. CloudStack will search the external LDAP directory tree starting at a specified base directory and return the distinguished name (DN) and password of the matching user. This information along with the given password is used to authenticate the user..�Project-Id-Version: Apache CloudStack Administration RTD
Report-Msgid-Bugs-To:
POT-Creation-Date: 2014-06-30 12:52+0200
PO-Revision-Date: 2014-06-30 12:03+0000
Last-Translator: FULL NAME <EMAIL@ADDRESS>
Language-Team: Chinese (China) (http://www.transifex.com/projects/p/apache-cloudstack-administration-rtd/language/zh_CN/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Language: zh_CN
Plural-Forms: nplurals=1; plural=0;
�%e�%n�%u�账户�帐户通常按域进行分组。域中经常包含多个账户,这些账户间存在一些逻辑上关系和一系列该域和其子域下的委派的管理员(这段的意思就是说在逻辑上域下可以有管理员,子域下也可以有管理员)。比如,一个服务提供商可有多个分销商这样的服务提供商就能为每一个分销商创建一个域�账户,用户,域�Active Directory�管理员在系统中是拥有特权的账户。可能有多个管理员在系统中,管理员能创建删除其他管理员,并且修改系统中任意用户的密码。�LDAP查询与一个LDAP目录树中的节点有关,称之为做搜索基础目录。搜索基础目录是目录库中的一级的distinguished name(DN),在这里能找到所有用户。用户可以直属于根目录或者一些子目录。搜索基础目录可能是组织、组或者域用户名。用于写DN变量的语法取决于你所使用的LDAP服务。再深入全面的讨论distinguished names超出了我们文档的范围。以下表格中展示了一些在搜索基础目录中查找测试部门中用户的示例。�一个账户通常代表一个客户的服务提供者或一个大组织中的一个部门。一个账户可存在多个用户。�ApacheDS�基本目录和查询过滤器�专用主机、群集、机架和区域的行为�CN=Administrator, OU=testing, DC=company, DC=com�CN=Administrator,DC=testing,OU=project,OU=org�专用主机可用主机标签连接。如果同时需要主机标签和专用,那么VM将只会在匹配所有需求的主机上运行。如果没有专用资源可用于这类用户,那么VM就不会被不部署。�给帐户和域分配专用资源�描述�域管理员�域管理员可以对属于该域的用户进行管理操作。域管理员在物理服务器或其他域中不可见。�域�邮件地址�绑定DN示例�LDAP配置命令示例�搜索基本DN示例�明确的专用。根管理员在初始部署和配置期间给一个帐户或者域分配了一个区域、机架、群集或者主机。�姓名�对于每个账户的创建,Cloud的安装过程中创建了三种不同类型的用户账户:根管理员,域管理员,普通用户。�对于明确的专用:当部署一个新的区域、机架、群集或者主机的时候,根管理员可以点击Dedicated选框,然后选择域或者帐户来拥有这些资源。�对于隐式的专用:管理员创建的计算服务方案和在部署规划区域选择ImplicitDedicationPlanner。然后在规划模型中,管理员按照是否允许一些人当没有专用资源可用的时候使用共享资源来选择严格的或者优先的。无论何时,用户基于这个服务方案创建的VM都会位于专用主机。�LDAP服务器的主机名或IP地址和监听端口�如何给帐户或者域指定一个区域、群集、机架或者主机�如何使用专用主机�如果CloudStack的用户名是LDAP中的显示名字:�如果 CloudStack 的用户名与LDAP中的用户ID一致:�如果LDAP 服务器要求SSL, 你需要在ldapConfig命令中通过设置参数ssl, truststore和truststorepass使其生效。在使SSL 对ldapConfig 生效之前,你需要得到LDAP服务器在使用的证书并把它加到被信任的密钥库中。你将需要知道到密钥库和密码的路径。�如果你删除了一个指定了专用资源的帐号或者域,那么其中的任何主机、群集、机架和区域就会被释放。它们会变成可被任何帐户或者域共享,或者管理员可选择重新把它们指定给不同的帐号或域。�LDAP服务器�管理账户,用户和域�OU=testing, DC=company�OU=testing, O=project�优先的潜在专用。如果可以的话,VM会被部署在专用的基础架构中。否则,VM可被部署在共享基础架构中。�查询过滤�查询过滤通配符�资源所有权�资源属于帐户,而不是帐户中的单个用户。例如,账单、资源限制等由帐户维护,而不是用户维护。用户有权限操作任何在帐户中提供的资源。权限有角色决定。根管理员通过使用assignVirtualMachine API可以将任何虚拟机的所有权从一个帐户调整到另一个帐户。域或子域管理员可以对域中的VMs做同样的操作,包括子域。�根管理员�根管理员拥有系统完全访问权限,包括管理模板,服务方案,客户服务管理员和域。�SSL 密钥库路径和密码�SSL密钥库和密码,如果使用了SSL�搜索基础目录�搜索用户绑定的DN�搜索用户DN 凭证,这个凭证是授予CloudStack允许搜索LDAP服务器上的凭证�严格的潜在专用:一个主机禁止通过多个账号共享。例如,严格私自共享对于部署的某些应用是有用处的,像没有软件授权主机不能在不同账号间进行桌面共享。�系统VMs和虚拟路由器影响专用主机的行为。系统VMs和虚拟路由器由CloudStack系统账号拥有,并且它们可在任何主机上部署。它们不会伴随着明确专用主机。主机上的系统虚机和虚拟路由器使其不再适合作为严格的潜在专用主机。主机之所以不能用于严格的潜在专用主机,是因为主机已经有针对帐号(默认系统账号)的VMs。尽管如此,运行着系统VMs或虚拟路由器的主机可以被用于优先的潜在专用。�CloudStack查询过滤的通配符有:�管理员可以将VMs从专用主机上迁移到任何想要的地方,不管目标主机是不同帐号/域专用的还是共享的主机(不对任何特殊帐号或域专用)。CloudStack将生成一个警告,不过操作还是允许的。�bind DN是位于外部被允许在定义的搜索基础目录中搜索LDAP目录的LDAP服务器上的用户。当DN返回值的时候,DN和通过的密码就与LDAPbind一起被用于验证CloudStack 用户。再深入完全的讨论bind DNs超出了文档的范围。下面的表格展示了一些bind DNs的实例。�命令调用的URL必须进行编码. 这里是一个没有进行URL编码的示例:�下面的示例假设你使用活动目录, 并从活动目录架构中获得用户属性.�以下展示了与活动目录类似的命令。这里,搜索是基于一个公司的测试组,用户是根据邮件地址进行查找。�以下展示了通过ApacheDS LDAP服务器调用 ldapConfig命令的示例�接下来的几个章节解释了当填写ldapConfig参数时你需要知道的一些概念。�查询过滤器用于在外部LDAP服务器中查找一个映射的用户。为实现有效认证,查询过滤器应该将CloudStack的用户唯一映射到LDAP用户。关于查询过滤器的语法,请参考您使用的LDAP服务器文档。�根管理员可以将资源分配给指定的域或为了保证额外的安全或性能从而需要单独基础架构帐户。为了一个指定的域或账号,区域、机架、群集或者主机可以被根管理员保留。只有域或它的子域中的用户可以使用这个基础架构。比如,只有域中的用户可以在其中的区域中创建来宾虚机。�这里有几种有效的分配方式:�对于明确的专用一个已存在的区域、机架、群集或者主机:使用根管理员登录,在UI中找到资源,然后点击Dedicate按钮。|button to dedicate a zone, pod,cluster, or host|�使用邮件地址查找用户:�在CloudStack中设置LDAP验证,调用CloudStack API指令ldapConfig,并提供如下:�为了明白本章节的示例, 你需要知道调用CloudStack API的基本概念,这在开发者文档中有讲解。�要使用明确专用主机,在关联组 (参阅 `“关联组” <virtual_machines.html#affinity-groups>`_)中选择explicit-dedicated 类型。比如,当创建新VM的时候,终端用户可以选择将其运行在专用基础架构上。如果一些基础架构已经被分配给专用的用户帐号或域,那么这个操作才能成功。�用户名�多个账户中的用户名在域中应该是唯一的。相同的用户名能在其他的域中存在,包括子域。域名只有在全路径名唯一的时候才能重复。比如,你能创建一个root/d1,也可以创建root/foo/d1和root/sales/d1。�普通用户�用户就像是账户的别名。在同一账户下的用户彼此之间并非隔离的。但是他们与不同账户下的用户是相互隔离的。大多数安装不需要用户的表面概念;他们只是每一个帐户的用户。同一用户不能属于多个帐户。�使用LDAP服务器用于用户验证�你可以使用一个外部LDAP服务器,例如微软活动目录或ApacheDS进行CloudStack的终端用户验证。仅仅使用查询过滤器映射CloudStack账户与对应的LDAP帐户。查询过滤器是使用查询语法写的特别的LDAP服务器,可以包括用CloudStack提供的特殊通配符匹配通用的像用户的电子邮件地址和名称这种值。CloudStack将在外部LDAP目录树中从一个指定的基目搜索录并返回专有名称(DN)和密码匹配用户。这个信息以及给定的密码是用于验证用户。。�